How SOC 2 Helps Secure Your Software Supply Chain

Many construction industry firms have invested heavily in cyber security measures to protect infrastructure and critical information. Security and privacy are the main concerns for the construction industry as threats have significantly increased. According to security audit firm A-LIGN, 73% of organizations have experienced data leakage and spillage in the last 12 months. However, security risk extends beyond the firm. A firm’s software applications, now called the software supply chain, may also introduce security issues.

Although cyber security is a top priority for most AECO firms, there are hidden vulnerabilities that often go undetected. Third-party software providers are an extension of the firm and may be a weak link in the security chain. If software providers do not take appropriate measures to protect their customer’s data, sensitive information may be exposed or leaked.

Issues with software chain security continue to grow. The National Institute of Standards and Technology (NIST), issued an executive order in May 2021 acknowledging the increasing number of software security risks throughout the software supply chain. “Federal departments and agencies become exposed to cybersecurity risks through the software and services that they acquire, deploy, use, and manage from their supply chain (which includes open-source software components). Acquired software may contain known and unknown vulnerabilities as a result of the product architecture and development life cycle.”

This is not just a problem for the Federal Government. It is a problem for all industries. Software providers for the construction industry often store sensitive information on cloud-hosted servers, including building plans and specifications. In addition, electronic information is transferred between external project team members numerous times a day.  Data that is “in transit” is at risk if it is not encrypted. Also, ensuring that information is being sent to the correct authorized party is a key security factor. This is where Multi-authentication (MFA) security adds a layer of security so that information does not fall into the wrong hands.

But how do you know if your software provider is protecting your information? Enter SOC 2 certification.

Construction firms can extend their security by verifying the security measures and practices of their software providers. Similar to NIST security standards, SOC 2, developed by the American Institute of Certified Public Accountants (AICPA), audits and documents the effectiveness of a software provider’s internal processes and cybersecurity controls. It is a rigorous auditing procedure that ensures software providers securely manage and protect customer data. There are three levels of SOC certification: SOC 1, SOC 2, and SOC 3. While SOC 1 focuses on financial controls and financial reporting, SOC 2 and SOC 3 focus on a company’s IT, operational, and organizational controls.

Customers and stakeholders use SOC 2 and SOC 3 reports to gain confidence and place trust in an organization’s systems. However, the SOC 2 report includes the details of the processing and controls tests performed by the independent auditor and the results of those tests.

The SOC 2 certification has become the de facto standard.  It is a U.S. security certification that defines criteria for managing customer data.

The SOC 2 certification audit covers five specific Trusted Service Criteria including security, availability, processing integrity, confidentiality, and privacy.

Security Organization Imperva outlines the five specific principles of SOC 2:

The terms “compliance” and “certification” are often used interchangeably. But there is a difference. Certification means that an independent third party has physically evaluated, tested, and certified the product or service to be in conformance with all the requirements of the standard. SOC 2 certification requires an independent auditor’s assessment and testing of the five specific trust principles outlined above.

A software provider may adhere to the trust principles and state that they are in compliance. However, “compliance” is not audited and verified by an independent authority.  Compliance is basically a self-audit.

Newforma has recently achieved SOC 2 certification in order to better protect customer data and privacy.

The certification of Newforma’s policies, procedures, and infrastructure controls went through an extensive review process over a three-month time period by the independent, third-party certified auditor A-LIGN.

Security and privacy concerns continue to be a top priority for the construction industry, and many firms are looking for software providers to be more transparent regarding security and privacy. In addition, the federal government, infrastructure, and classified projects are requiring evidence of security controls in order to win project bids.

“Newforma customers can be assured that their data, passwords, and access are secure and protected”, states Johnathon Kinville, Newforma’s Director of Security. “Newforma continues to lead the AECO software market for security best practices.”